OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ADMINISTRATIVE COSTS CLAIMED
BY THE NEBRASKA DISABILITY
DETERMINATION SERVICES

June 2008   A-07-07-17170

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and
management by proactively seeking new ways to prevent and deter fraud, waste
and abuse.
We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      June 19, 2008
Refer To:

To:        Michael W. Grochowski
           Regional Commissioner
           Kansas City

From:      Inspector General

Subject:   Administrative Costs Claimed by the Nebraska Disability Determination Services
           (A-07-07-17170)

OBJECTIVE

Our objectives were to evaluate the Nebraska Disability Determination Services’
(NE-DDS) internal controls over the accounting and reporting of administrative costs,
determine whether costs claimed by the NE-DDS were allowable and properly allocated
and funds were properly drawn, and assess limited areas of the general security control
environment. Our audit included the administrative costs claimed by the NE-DDS
during Federal Fiscal Years (FY) 2005 and 2006.

BACKGROUND

The Disability Insurance (DI) program, established under Title II of the Social Security
Act (Act), provides benefits to wage earners and their families in the event the wage
earner becomes disabled. The Supplemental Security Income (SSI) program,
established under Title XVI of the Act, provides benefits to financially needy individuals
who are aged, blind, and/or disabled.

The Social Security Administration (SSA) is responsible for implementing policies for
the development of disability claims under the DI and SSI programs.
Disability determinations under both DI and SSI are performed by disability determination
services (DDS) in each State and other responsible jurisdictions. Such determinations
are required to be performed in accordance with Federal law and underlying
regulations. 1 In carrying out its obligation, each DDS is responsible for determining
claimants’ disabilities and ensuring that adequate evidence is available to support its
determinations.

1  42 U.S.C. § 421; 20 C.F.R. §§ 404.1601 et seq. and 416.1001 et seq.

Page 2 - Michael W. Grochowski

To assist in making proper disability determinations, each DDS is authorized to
purchase medical examinations, x-rays, and laboratory tests on a consultative basis to
supplement evidence obtained from the claimants’ physicians or other treating sources.

SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its
approved funding authorization. The DDS withdraws Federal funds through the
Department of the Treasury’s (Treasury) Automated Standard Application for Payments
(ASAP) system to pay for program expenditures. Funds drawn down must comply with
Federal regulations 2 and intergovernmental agreements entered into by Treasury and
States under the Cash Management Improvement Act of 1990. 3

An advance or reimbursement for costs under the program must comply with the Office
of Management and Budget’s (OMB) Circular A-87, Cost Principles for State, Local, and
Indian Tribal Governments. At the end of each quarter of the FY, each DDS is required
to submit a State Agency Report of Obligations for SSA Disability Programs
(SSA-4513) to account for program disbursements and unliquidated obligations. 4 The
SSA-4513 reports expenditures and unliquidated obligations for personnel service
costs, medical costs, indirect costs, and all other nonpersonnel costs. 5

The Nebraska Department of Education is the NE-DDS’ parent agency. The NE-DDS
is located in Lincoln, Nebraska.

RESULTS OF REVIEW

Other than the areas discussed in this report, the NE-DDS had effective controls over
the accounting and reporting of administrative costs. With the exception of paying
consultative examination (CE) providers for missed CE appointments without SSA
approval, the costs claimed by the NE-DDS during our audit period were allowable,
properly allocated, and funds were properly drawn. We found that the NE-DDS needed
to improve controls over its CE provider sanction process and inventory controls.
Regarding general security control, NE-DDS did not comply with SSA policies for
after-hours cleaning services, its security plan was incomplete, and its disaster recovery
plan (DRP) had not been tested.

2  31 C.F.R. § 205.1 et seq.
3  Pub. L. No. 101-453, 104 Stat. 1058, in part amending 31 U.S.C. §§ 3335, 6501, and 6503 (1990).
4  SSA, POMS, DI 39506.201 and 202. POMS, DI 39506.200 B.4 provides, in part, that “Unliquidated
   obligations represent obligations for which payment has not yet been made. Unpaid obligations are
   considered unliquidated whether or not the goods or services have been received.”
5  SSA, POMS, DI 39506.201 and 202.

CE PROVIDERS PAID FOR MISSED APPOINTMENTS

The NE-DDS paid CE providers a fee when claimants missed their CE appointments.
Specifically, the NE-DDS paid the CE provider up to 50 percent of the fee for the
missed CE. As a result, SSA reimbursed the NE-DDS $229,519 for payments to CE
providers for missed CE appointments during FYs 2005 and 2006.
The payments represented more than 7 percent of total CE expenses during the same timeframe.
SSA had not approved the payments for missed CE appointments, as required.

In response to a prior audit, SSA adopted a no-pay policy for missed CE
appointments. 6 In April 2000, SSA clarified its no-pay policy and stated that, on an
individual case basis, the DDS may request an exemption. 7,8 To obtain an exemption,
the DDS is instructed to work with its SSA regional office (RO) to reach agreement on
payments to CE providers for missed appointments. After an agreement is reached,
the RO would then submit the request, along with supporting documentation, to the
Office of Disability Determinations (ODD) for exemption consideration. However, we
found that the NE-DDS did not work with the Kansas City RO on an exemption. Rather,
it implemented a payment policy for missed CE appointments without requesting SSA’s
approval.

NE-DDS’ administrator stated that he believes CE providers should be compensated for
the loss of revenue resulting from missed CE appointments. We recommend SSA
instruct the NE-DDS to refund $229,519 for missed CE appointments unless it can
provide acceptable evidence that paying for these missed CE appointments is
appropriate. We also recommend that SSA instruct the NE-DDS to immediately stop
payments to providers for missed CE appointments until an exemption is requested and
approved.

SANCTION LISTING

The NE-DDS did not review the Health and Human Services, Office of Inspector
General, (HHS/OIG) List of Excluded Individuals/Entities to ensure CE providers it
intended to utilize were not sanctioned from participation in any Federal or federally
assisted program.
SSA policy indicates that a qualified medical source must not be
sanctioned from participation in Federal programs. 9 Underlying SSA procedures
require that, before using the services of any CE provider, DDSs must review the Listing
of Excluded Individuals/Entities for each CE provider at least annually. 10

6  Department of Health and Human Services, Office of Inspector General, Payments Under the Disability
   Determination Program for Medical Appointments Made by Claimants of Disability Insurance and
   Supplemental Security Income Benefits (A-01-87-02004), December 1987.
7  SSA, Office of Disability, DDS Administrators' Letter No. 536, April 25, 2000.
8  SSA, POMS, DI 39545.275.

The NE-DDS is at-risk of contracting with CE providers whose services have been
sanctioned by other Federal agencies if it does not review the HHS/OIG sanction listing.
The NE-DDS stated it was unaware of the requirement to review the HHS/OIG sanction
listing. Since learning of this requirement, NE-DDS stated it has reviewed the HHS/OIG
sanction listing and incorporated this procedure in its CE provider review process. We
recommend SSA ensure the NE-DDS continues to review the HHS/OIG List of
Excluded Individuals/Entities as part of its CE provider background check process.

INVENTORY CONTROL

The NE-DDS did not maintain accurate and complete inventory records of computer
equipment.

      •   We could not locate two servers and two laptop computers that were listed on
          the official inventory records. After our on-site inventory review, NE-DDS
          management reported that one of the laptops was located and the other laptop
          had been surplused. We do not know whether the servers contained personally
          identifiable information (PII). However, the NE-DDS stated the PII would have
          been erased since the equipment was out of service. 11

      •   The NE-DDS’ official inventory records did not include desktop and laptop
          computers that SSA purchased and shipped directly to the NE-DDS.

The NE-DDS did not record this computer equipment stating it believed SSA was
responsible for maintaining the inventory of computer equipment SSA purchased for the
NE-DDS. Furthermore, the NE-DDS stated that, although SSA policy requires the
inventory of equipment, this policy defines equipment as having a minimum per unit
acquisition cost of $5,000. 12 The NE-DDS believes it does not need to inventory
computer equipment purchased with SSA-applied funds.

We do not agree with the NE-DDS’ assertions that they are exempt from documenting
SSA-supplied computer equipment into their inventory system. Although SSA policy defines
equipment using a minimum per unit acquisition cost, this same policy also makes a
clear distinction that computer equipment is to be considered separately from other
equipment. 13 Additional SSA policy requires an appropriate inventory and control
mechanism to account for all property used for disability program purposes. 14 It is
noteworthy that Nebraska Department of Education’s inventory policy, issued in
March 2007, specifically requires that the NE-DDS record and account for computer
equipment regardless of per unit acquisition cost, and its tracking system must also
identify the current employee assigned accountability for specific computers. 15
Therefore, according to SSA and State policy, a minimum per unit acquisition cost does
not apply regarding the inventory of computer equipment.

9   SSA, POMS, DI 39569.300 A.
10  SSA, POMS, DI 39569.300 B.1 and 2.
11  We notified the Kansas City RO of the missing computer equipment. Within 24 hours of the notification,
    SSA’s RO informed the NE-DDS Administrator to send a report of suspected loss of PII to the National
    Computer Service Center, and he did so.
12  SSA, POMS, DI 39530.001.B.

The NE-DDS also states that it does not own the computer equipment purchased for it
by SSA. We do not agree with the NE-DDS’ assertions regarding the ownership of
SSA-supplied computer equipment. SSA’s inventory policy clearly states the title to
equipment rests with the State, and the State is responsible for maintenance and
inventory of all equipment whether purchased through SSA or the State. 16

Not maintaining adequate inventory records hinders detection of stolen or misplaced
equipment. By creating an appropriate inventory system for computer equipment, the
NE-DDS will create security controls to protect records created by the State in
performing the disability determination function, as required by SSA policy. 17 We
recommend SSA instruct the NE-DDS to immediately establish and maintain equipment
inventory in compliance with the policies of SSA and the Nebraska Department of
Education. We also recommend that SSA verify the NE-DDS’ new inventory system
complies with appropriate policies.

ACCESS CONTROLS

The NE-DDS did not comply with SSA policies for cleaning services, which require that
all offices implement a clean-desk policy or daytime cleaning, 18 and that non-Agency
employees, such as cleaning personnel, must not have access to claimant data, and
any computer equipment used for data input or storage. 19 NE-DDS’ cleaning services
were provided during nonwork hours, and the NE-DDS did not practice a clean-desk
policy. Therefore, cleaning personnel could gain unauthorized access to sensitive
information and computer equipment. A lack of access controls increases the risk of
unauthorized access and loss of sensitive information and equipment.

13  SSA, POMS, DI 39530.001 A. 4.
14  SSA, POMS, DI 39563.200.
15  Nebraska Department of Education Administrative Memorandum #303, March 2007.
16  SSA, POMS, DI 39530.001 A. 2. and SSA, POMS, DI 39530.020 A.1.
17  SSA, POMS, DI 39563.200.
18  SSA, POMS, DI 39566.010 B.2.a. and B.6.e.
19  SSA, POMS, DI 39566.030 B.

The NE-DDS stated that cleaning during regular working hours is disruptive and
diminishes the quality of service to the public since it is required to assist the public by
telephone. We recommend SSA instruct the NE-DDS to either implement cleaning
services during work hours or adhere to SSA’s clean desk policy and other limitations
on access to claimant data.

INCOMPLETE SECURITY PLAN

The NE-DDS’ security plan did not adhere to SSA’s policy requiring a security plan
consisting of eight parts, with each part containing specific information. 20 We found
that the NE-DDS security plan was missing three of the eight required parts: (1) the
DDS Systems Interconnection Access Security Plan, (2) the Violations Reports and
Resolution Plan, and (3) the Risk Assessment.

Furthermore, essential information was missing in the other five parts of the security
plan.

1. The Physical DDS Security Description/Profile was missing a line of succession or
   authority in the event of a disaster.
2. The Systems Security Awareness and Training Plan was missing information on
   how newly hired employees and contractors are trained.
3. The Tri-Annual Systems Review/Recertification Plan was missing the tri-annual
   recertification process, the DDS policy on platform security, and the instructions for
   the comprehensive integrity review process.
4. The Continuity of Operations Plan was missing a description of SSA and NE-DDS
   responsibilities and a description of workload and workflow of the NE-DDS.
5. The DRP did not quantify what local resources are needed to operate the NE-DDS
   in the event of a disaster.

Because there was no complete security plan, there was a risk that critical business
processes were not protected or would not recover timely in the event of a disaster. A
delay in creating a complete security plan could result in a longer recovery period
following a catastrophic event. NE-DDS personnel stated that conversion to electronic
folders was given priority over the security plan, and, since the conversion is complete,
the NE-DDS plans to create a new security plan in accordance with SSA’s policy. We
recommend SSA assist the NE-DDS in the timely creation of a security plan in
accordance with its policy.

20  SSA, POMS, DI 39566.120 C.

DRP NOT TESTED

The NE-DDS’ DRP was not tested as set forth in SSA policy. 21 The DRP documents
DDS data and personnel information involved in restoring system operations that are
vital to disaster recovery. As a result of not testing the DRP, there was a risk that
critical business processes were not protected or would not recover timely in the event
of a disaster. NE-DDS’ delay in testing the DRP could result in a longer recovery period
following a catastrophic event.
We recommend SSA work with the NE-DDS to ensure
the timely testing of the DRP.

21  SSA, POMS, DI 39566.120 C.7.b. In accordance with this SSA policy, the testing will be performed with
    headquarters hardware in the National Computer Center’s Disaster Test Facility. The policy provides that
    the Office of Telecommunications and Systems Operations, an SSA component, performs this in
    conjunction with DDS systems staff and vendors who provide disaster recovery resources, and they will
    schedule the DDSs for backup and recovery testing.

CONCLUSION AND RECOMMENDATIONS

Other than the areas discussed in this report, the NE-DDS had effective controls over
the accounting and reporting of administrative costs. With the exception of paying CE
providers for missed CE appointments without SSA approval, the costs claimed by the
NE-DDS during our audit period were allowable, properly allocated, and funds were
properly drawn. We found that the NE-DDS needed to improve controls over its CE
sanctioned provider process and inventory controls. Regarding general security control,
NE-DDS did not comply with SSA policies for after-hours cleaning services, its security
plan was incomplete, and its DRP had not been tested.

We recommend the SSA Regional Commissioner:

   1. Instruct the NE-DDS to refund $229,519 for missed CE appointments unless it
      can provide acceptable evidence that paying for these missed CE appointments
      is appropriate.

   2. Instruct the NE-DDS to immediately stop payments to providers for missed CE
      appointments until an exemption is requested and approved.

   3. Ensure the NE-DDS continues to review the HHS/OIG List of Excluded
      Individuals/Entities as part of its consultative examiner background check
      process.

   4. Instruct the NE-DDS to immediately establish and maintain proper equipment
      inventory in compliance with policies of SSA and the Nebraska Department of
      Education.

   5. Verify the NE-DDS’ new inventory system complies with appropriate policies.

   6. Instruct the NE-DDS to either implement cleaning services during work hours or
      adhere to SSA’s clean-desk policy during nonwork hours and other limitations on
      access to claimant data.

   7. Assist the NE-DDS in the timely creation of a security plan in accordance with its
      policy.

   8. Work with the NE-DDS to ensure the timely testing of NE-DDS’ DRP.

AGENCY COMMENTS

In commenting on our draft report, SSA agreed with all of our recommendations. See
Appendix C for the full text of SSA’s comments.

NEBRASKA DISABILITY DETERMINATION SERVICES’ COMMENTS

In commenting on our draft report, the NE-DDS agreed with three of the eight
recommendations in our audit report. See Appendix D for the full text of the NE-DDS’
comments.

The NE-DDS disagreed with Recommendations 1 and 2 stating in part that paying for
missed CE appointments is a good business practice; consistent with its parent agency
practice; consistent with standard business practice in the community; and contributes
to making accurate determinations. The NE-DDS also stated that SSA’s attempt to
collect reimbursement of nearly a quarter of a million dollars constitutes a threat to the
continuation of the state-federal relationship in Nebraska.

The NE-DDS also disagreed in part with Recommendations 4 and 5 citing a different
interpretation of the SSA inventory policies and procedures than what we outlined in our
report.
However, the NE-DDS commented that it will agree to conform to SSA
inventory requirements once the requirements are stated.

The NE-DDS disagreed with Recommendation 6 stating that SSA policy gives the
NE-DDS discretion as to whether it chooses to implement cleaning services during work
hours and adhere to SSA’s clean desk policy.

OIG RESPONSE

The SSA Regional Office has already taken actions to implement Recommendations
1 and 2. Following the issuance of our draft report, SSA worked with the NE-DDS to
develop a request for exemption of payment for missed appointments, allowing for
reduced reimbursement instead of paying the CE provider up to 50 percent of the fee
for the missed CE during our audit period. This exemption has been approved by the
Office of Disability Determinations. The NE-DDS plans to implement this new
procedure on June 2, 2008. Since SSA reached agreement on the exemption, it does
not plan to request a refund of the funds paid for missed appointments. Therefore,
SSA has taken appropriate actions to address these recommendations and the
concerns stated in the NE-DDS’ comments are no longer applicable.

We remain committed to Recommendations 4 and 5 which require the NE-DDS to
establish and maintain proper equipment inventory in compliance with policies of SSA
and the Nebraska Department of Education and instruct SSA to verify the NE-DDS’ new
inventory system complies with appropriate policies. However, the NE-DDS’ comments
to our draft report indicate that it may not fully understand SSA requirements for the
inventory process.
Therefore, SSA should discuss the inventory requirements with the
NE-DDS as part of its process for taking corrective actions on our recommendations.

We also remain committed to our recommendation that the NE-DDS either implement
cleaning services during work hours or adhere to SSA’s clean-desk policy.
Implementation of this recommendation is necessary for the protection of disability
claimants’ PII that is not protected by computer PINs and passwords. The minimal
effort required on the part of the NE-DDS to implement a clean-desk policy is far
outweighed by the protection it would provide disability claimants.

OTHER MATTER

Personally Identifiable Information

Disability claimants of the NE-DDS had PII routinely disclosed to vendors. The
NE-DDS processes over 18,000 disability determinations each FY. During the disability
determination process, the NE-DDS purchases services that include medical evidence
(CE and medical evidence of record) and claimant travel. Our review of medical and
applicant travel invoices revealed that these documents contained PII including name,
address, date of birth, Social Security number, and telephone number. Although we
have no reason to believe this information has been abused, this practice could
potentially result in abuse of claimant’s PII.

Federal guidance dictates that agencies should reduce their current holdings of all PII
to the minimum necessary for the proper performance of a documented agency
function. 22 Agencies must also review their use of Social Security numbers in agency
systems and programs to identify instances in which collection or use of the Social
Security number is superfluous. 23

22  OMB Memorandum M-07-16, Attachment 1 § B.1.a.
    This Memorandum (page 2) also indicates a few
    simple and cost effective steps to greatly reduce the risks related to a data breach of PII, such as limiting
    access to only those individuals who must have such access. Access is defined as the ability or
    opportunity to gain knowledge of PII.
23  OMB Memorandum M-07-16, Attachment 1 § B.2.a.

On October 5, 2007, SSA ODD informed ROs that DDSs should review their processes
to eliminate the use of the Social Security numbers on correspondence where possible.
The NE-DDS informed us that it has begun the process of removing the Social Security
number from documents where it is not absolutely necessary.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – Nebraska Disability Determination Services Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

Act           Social Security Act
ASAP          Automated Standard Application for Payments
CE            Consultative Examination
C.F.R.        Code of Federal Regulations
DDS           Disability Determination Services
DI            Disability Insurance
DRP           Disaster Recovery Plan
FY            Fiscal Year
HHS           Health and Human Services
NE-DDS        Nebraska Disability Determination Services
ODD           Office of Disability Determinations
OIG           Office of Inspector General
OMB           Office of Management and Budget
PII           Personally Identifiable Information
POMS          Program Operations Manual System
Pub. L. No.   Public Law Number
RO            Regional Office
SSA           Social Security Administration
SSA-4513      State Agency Report of Obligations for SSA Disability Programs
SSI           Supplemental Security Income
Treasury      Department of the Treasury
U.S.C.        United States Code

Appendix B

Scope and Methodology

SCOPE

To achieve our objective, we:

 •   Reviewed applicable Federal laws and regulations, pertinent parts of the Social
     Security Administration’s (SSA) Program Operations Manual System and other
     criteria relevant to administrative costs claimed by the Nebraska Disability
     Determination Services (NE-DDS), and the draw down of SSA program
     appropriations.

 •   Interviewed staff at the Nebraska Department of Education and the NE-DDS.

 •   Reviewed State policies and procedures related to personnel, medical services,
     and all other nonpersonnel costs.

 •   Evaluated, tested, and documented internal controls regarding accounting, financial
     reporting, and cash management activities.

 •   Reconciled State accounting records to the administrative costs reported by the
     NE-DDS on the State Agency Report of Obligations for SSA Disability Programs
     (SSA-4513) for Federal Fiscal Years (FY) 2005 through 2006.

 •   Examined specific administrative expenditures (personnel, medical services, and all
     other nonpersonnel costs) incurred and claimed by the NE-DDS for FYs 2005 and
     2006 on the SSA-4513.
     We used statistical sampling to select expenditures to test
     for support of the medical service and all other nonpersonnel costs as discussed in
     the following methodology section of this appendix.

 •   Examined the indirect costs claimed by NE-DDS for FYs 2005 through 2006.

 •   Compared the amount of SSA funds drawn for support of program operations to
     the expenditures reported on the SSA-4513.

 •   Determined whether selected funds from cancelled warrants were properly returned
     to SSA.

 •   Determined whether unliquidated obligations were properly supported.

 •   Reviewed the NE-DDS’ general security control.

 •   Reviewed Office of Management and Budget guidance related to safeguarding
     personally identifiable information.

We determined that the data provided by Nebraska Department of Education and
NE-DDS used in our audit were sufficiently reliable to achieve our audit objectives. We
assessed the reliability of the data by reconciling it with the costs claimed on the
SSA-4513. We also conducted detailed audit testing on selected data elements in the
electronic data files.

We performed work at the NE-DDS, and the Kansas City, Missouri, Office of Audit. We
conducted fieldwork from June 2007 through January 2008. The audit was conducted
in accordance with generally accepted government auditing standards.

METHODOLOGY

SAMPLING METHODOLOGY

The sampling methodology encompassed the four general areas of costs reported on
the SSA-4513: (1) personnel, (2) medical, (3) indirect, and (4) all other nonpersonnel
costs. We obtained a data extract of all costs and the associated invoices for FYs
2005 through 2006 for use in statistical sampling.
This was obtained from the
accounting systems used in the preparation of the SSA-4513.

Personnel Costs

We randomly selected 1 pay period, the month of August, in FY 2006 for review. We
then selected a random sample of 50 regular employees for review and testing of the
payroll records. For medical consultant costs, we also selected the month of August, in
FY 2006, for review. We then selected all 19 medical consultants for review and testing
of the payroll records.

Medical Costs

We sampled 100 items (50 items from each of FY 2005 and 2006) using a stratified
random sample of medical costs based on the proportion of medical evidence of record
and consultative examination costs to the total medical costs claimed.

Indirect Costs

NE-DDS indirect costs are computed by applying a federally approved rate to a cost
base. 1 This methodology was approved by the United States Department of Education,
which is the Federal agency designated to negotiate and approve the indirect cost rate.
On the final SSA-4513s, the NE-DDS claimed indirect costs of $460,944 for FY
2005 and $511,934 for FY 2006. We reviewed the FY 2005 and 2006 indirect cost
calculations to ensure the correct rate was applied.

All Other Nonpersonnel Costs

We sampled 100 items (50 expenditures from FY 2005 and 50 from FY 2006) using a
stratified random sample.
The random sample was based on the proportion of costs in
each of the cost categories to the total costs claimed.

¹ Total direct costs including the remunerations of medical consultants less items of equipment, alterations
and renovations flow-through, food, other medical costs and the portion of each competitive bid sub-award
in excess of $25,000 regardless of the period covered by that sub-award.

Appendix C

Agency Comments

Sent: Thursday, May 08, 2008 4:36 PM
Subject: Signed Draft Report (A-07-07-17170) - Kansas City Response

To:          Inspector General

From:        Regional Commissioner
             Kansas City Region

Subject:     Administrative Costs Claimed by the Nebraska Disability Determination Services
             (A-07-07-17170) - Response

Thank you for sharing the draft report of the administrative audit for fiscal years 2005 and 2006
conducted at the Nebraska Disability Determination Services (DDS). The preliminary findings
illustrate that overall the Nebraska DDS has effective controls over the accounting and reporting
of administrative costs. The auditors did identify the following recommendations that require
corrective action or improved processes. I agree with the recommendations outlined in the draft
report. We will work with the DDS to correct these findings.

Recommendations:
1. Instruct the Nebraska DDS to refund $229,519 for missed CE appointments unless it can
   provide acceptable evidence that paying for these missed CE appointments is appropriate.
2. Instruct the DDS to immediately stop payments to providers for missed CE appointments
   until an exemption is requested and approved.

      Action Pending: The Regional Office worked with the Nebraska DDS to develop a request
      for exemption of payment for missed appointments, allowing for reduced reimbursement.
      This exemption has been approved by the Office of Disability Determination. The DDS
      plans to implement this new procedure on June 2, 2008, which will allow the DDS enough
      time to inform their consultative examination panelists of the change in their policy. Since
      we have now come to an agreement on this exemption, the Region does not plan to request a
      refund of DDS funds paid for missed appointments.

3. Ensure the DDS continues to review the HHS/OIG List of Excluded Individuals/Entities as
   part of its consultative examiner background check process.

      Action Pending: The DDS is now aware of the requirement to review the HHS/OIG
      sanction listing and will incorporate this into their CE provider review process. The Center
      for Disability Professional Relation's Officer will follow-up with the DDS during
      Professional Relations visits to ensure this is being done on a regular basis.

4. Instruct the DDS to immediately establish and maintain proper equipment inventory in
   compliance with policies of SSA and the Nebraska Department of Education.
5. Verify the DDS’ new inventory system complies with appropriate policies.

      Action Pending: The Center for Disability Programs will work with the DDS to see that
      they establish proper equipment inventory and verify the new system complies with
      appropriate policies.

6. Instruct the DDS to either implement cleaning services during work hours or adhere to SSA’s
   clean-desk policy during non-work hours and other limitations on access to claimant data.

      Action Pending: The DDS is evaluating options to comply with SSA policies for cleaning
      services.

7. Assist the DDS in the timely creation of a security plan in accordance with its policy.

8. Work with the DDS to ensure the timely testing of the DDS’ Disaster Recovery Plan.

      Action Pending: The Center for Disability Programs will work with the DDS to develop a
      complete security plan that adheres to SSA's policy requirements. The Office of Disability
      Determination, Division of DDS Systems, will be contacted regarding the possibility of
      testing the Nebraska DDS Disaster Recovery Plan.

OTHER MATTER

Personally Identifiable Information (PII)
Disability claimants of the DDS had PII routinely disclosed to vendors. Review of medical and
applicant travel invoices revealed that these documents contained PII including name, address,
date of birth, Social Security number, and telephone number.

      Action Pending: The DDS is working to remove the Social Security number from all
      documents where it is not absolutely necessary.

We appreciate the auditor's exceptional communication and cooperation with the DDS and
Regional Office during the course of the audit process. We hope to have all matters addressed by
the time the final audit report is received. If you have questions, please contact me at
816-936-5700. If your staff needs additional assistance or information, they may contact
Linda Kerr-Davis, Disability Program Administrator for Nebraska, at 816-936-5685.

                                             /s/
                                    Michael W. Grochowski

Appendix D

Nebraska Disability Determination Services
Comments

NEBRASKA DEPARTMENT OF EDUCATION
Disability Determinations Section
Mailing Address: PO Box 82530 - Lincoln, Nebraska 68501-2530 - Phone (402) 471-2961
FAX # 402-471-3626
Determinations for Social Security and Supplemental Security Income Disability

May 14, 2008

Patrick P. O’Carroll, Jr.
Office of Inspector General
Social Security Administration
Baltimore, MD 21235-0001

Dear Mr. O’Carroll:

Re:     Audit A-07-07-17170

By letter dated April 14, 2008, your office conveyed a draft Audit Report relative to the
administrative costs claimed by the Nebraska Disability Determinations Services. The
audit covered fiscal years 2005 and 2006. You requested written comments on each of
the recommendations contained in the draft report. This letter serves as the response of
the Nebraska Department of Education.

BACKGROUND

The relevant statutes and regulations create an opportunity for the state and federal
governments to maintain a partnership in the administration of the Social Security
Disability Program. Participation is voluntary for the states. SSA may terminate its
relationship with a state in the presence of performance that persistently falls below
SSA’s established standards.

All states presently participate in the program which is evidence that the states and SSA
feel that there are mutual advantages in doing so. For SSA, the advantages are tangible
and obvious.
They most notably include having exclusive access to points of business
presence in every state and to a trained and experienced state workforce whose
compensation is far less than would be the case if the work were performed by federal
employees. Simply and significantly, SSA saves a lot of money by having the disability
determination function performed by the states.

For the states, the benefits are less concrete, and the financial incentive, if any, is small.
SSA does fund all operational expenses. Additionally, SSA reimburses the states for
the administrative overhead (indirect costs) associated with participating in the
program. But since the state does not “keep” any of the funding for operational
expenses and since the indirect costs are fair in terms of the added expense to the state,
there is little or nothing resembling a “profit” for the states.

What each state does experience from the partnership is an opportunity to play a role in
assuring that its residents receive an acceptable level of service in the administration of
the program. Service to its citizens and fair and appropriate regard for state
government in general and the state business community are the incentives for state
participation in the program.

In Nebraska, DDS management is sometimes asked by other officials in state
government --- legislators, their staffs, budget analysts, and a former governor’s chief
of staff --- “why is this a state program? why not just turn this over to SSA? is keeping
this program really worth the risk from a PR and liability point of view?”

The structure and nature of the state federal partnership has evolved over the history of
the program in ways that are relevant to some of the findings of this audit.
Before the
enactment of Public Law 96-265 in 1980, the business relationships between the state
and federal components were determined by individually negotiated contracts. This
enabled each state to declare and negotiate the terms under which it would perform
functions on behalf of SSA. Under 96-265, the contracts were invalidated and SSA
was empowered to issue regulations that would define the business relationship. Such
regulations were issued on May 29, 1981. The fundamental understanding was that
SSA would provide the policies, workload, performance expectations, funding, and
oversight while the states would provide a business environment, business rules, and
personnel.

Two citations from the original regulation are relevant:

       “We (SSA) do not intend to become involved in the State’s ongoing
       management of the program except as necessary and in accordance with these
       regulations”.

       “The States will have control over management of their operations as long as
       their performance is adequate under the standards which we set”.

But as time has passed, SSA has increasingly sought to determine business rules,
administrative procedures, etc. within the DDSs. This observation is made here because
it becomes relevant to some of the specific findings of the audit.
At least a theoretical
possibility exists that the trend in SSA determination and enforcement of administrative
and business rules would so compromise a state’s reason for being in the program as to
compel reexamination of the state’s position.

RESULTS OF THE REVIEW

PAYMENT TO CE PROVIDERS FOR MISSED APPOINTMENTS

OIG observed that the DDS has a practice of paying health care providers a fee when
claimants fail to appear for their scheduled appointments, that this practice had not
been approved by SSA, and that this is not consistent with SSA instructions. OIG
recommends that SSA instruct the DDS to immediately stop paying such a fee and to
refund $229,519.

DDS disagrees with OIG’s recommendation for the following reasons:

   •   paying such a fee is a good business practice;
   •   it is consistent with the parent agency practice;
   •   it is consistent with standard business practice in the community;
   •   it contributes to our highest priority of making accurate determinations;
   •   permitting the DDS to exercise its own discretion on this matter (and potentially
       on other matters) is consistent with the fundamental understanding in having a
       state-federal partnership;
   •   SSA may lack the regulatory authority to impose its requirement on this matter;
   •   attempting to effectuate a payment of nearly a quarter of a million dollars
       constitutes a threat to the continuation of the state-federal relationship in
       Nebraska.

Paying the fee is a good business practice. When DDS schedules an appointment with
a medical provider, that provider blocks out time that could otherwise have been “sold”
to another purchaser.
This is particularly important in the case of psychologists who
schedule an hour or more of their time to the exclusion of all other activities. When our
claimant fails to appear for the examination, the time and business opportunity is lost.
Asking the provider to take this risk with no opportunity for compensation is unfair and
unreasonable. Our examination providers are our business partners, the success of our
operations depends upon them, and we value their good will. The OIG recommendation
is not consistent with maintaining good business relationships.

It is consistent with the parent agency practice. In comparable situations, most notably
the contracting for translation services, the parent agency pays a fee to a professional
service provider when he or she is present and ready to provide the service but the
client fails to appear and a business opportunity is consequently lost. When SSA
chooses to do business with us, especially under a regulation which states an intention
to defer to local business practices, it gives up its absolute right to unilaterally dictate
business practices. If exercise of such an absolute right is essential in SSA’s view, then
we acknowledge SSA’s option to make arrangements with some other entity to
schedule and pay for consultative examinations.

It is consistent with standard business practice in the community.

Medical practitioners generally assess charges to patients who make appointments and
who do not appear for the appointments without having given adequate notice of
cancellation. Expecting practitioners to treat DDS differently than their patients is not
reasonable.

OIG’s recommendation runs counter to our highest objective.
The top priority of the
DDS is to make correct and accurate determinations of eligibility for disability benefits.
Doing so requires that we attempt to recruit the best and most competent sources for
medical examinations. Not surprisingly, the best sources are those in highest demand.
Not paying a fee for missed appointments will cause us to lose the opportunity to do
business with providers who are in highest demand.

SSA may lack the regulatory authority to require that no fees be paid in these
circumstances.

In the current CFR, SSA states its basic intent as follows:
§404.1603 Basic responsibilities for us and the State.

(a) General. We will work with the State to provide and maintain an effective system for processing claims of those
who apply for and who are receiving benefits under the disability program. We will provide program standards,
leadership, and oversight. We do not intend to become involved in the State's ongoing management of the
program except as is necessary and in accordance with these regulations. The State will comply with our
regulations and other written guidelines.

With regard to payment for medical purchases, the CFR states:
§404.1624 Medical and other purchased services.

Subject to the provisions of §405.805(b)(2) of this chapter in claims adjudicated under the procedures in part 405 of
this chapter, the State will determine the rates of payment to be used for purchasing medical or other services
necessary to make determinations of disability. The rates may not exceed the highest rate paid by Federal or other
agencies in the State for the same or similar type of service. The State will maintain documentation to support the
rates of payment it uses.

Clearly, payment for missed appointments falls under the heading of purchased medical
services and clearly the CFR defers to the state practice.
While OIG or SSA may quote
other much more general phraseology (such as, “the DDS will follow our guidelines”),
deference must go to the more specific language.

Threatening to attempt to recover money paid for missed appointments could have
undesired consequences for the future of the state federal relationship. As mentioned in
the previous section, there is little in the way of tangible benefit for the state in this
partnership. For SSA to threaten to recover a large amount of money (or any amount of
money), would further weaken the rationale. It would create the appearance of a
situation in which the best the state could do would be to have the federal partner cover
the expenses of doing federal work but in which there would be a potential penalty in
which the state would have to provide its own funding should a mistake be made.
Many reasonable state policy makers would oppose such an arrangement.

Any decision should be made by weighing the probable benefits against the probable
risks. When applied to the question of deciding whether or not OIG will recommend
recovery of funds, there are no benefits and there are many risks. There are no benefits
because this recovery of funds simply will not happen. The Nebraska legislature is not
going to appropriate Nebraska taxpayer dollars to pay SSA for having done SSA work.
Neither will the threat intimidate the DDS into following SSA directions for which
SSA lacks regulatory authority. There are no other benefits. Meanwhile, there is
considerable risk. The recommendation is inflammatory and without any possible
constructive consequence.
Therefore DDS recommends that the OIG draft report be
amended to exclude any reference to recovery of funds.

SANCTION LISTING

OIG observed that DDS had only recently been reviewing the HHS OIG List of
Excluded Individuals/Entities to make sure that we are not doing business with health
care providers who have been sanctioned by other federal agencies. OIG recommended
that DDS continue to use this listing.

DDS agrees with the OIG finding and recommendation.

INVENTORY CONTROL

DDS disagrees with a number of OIG’s observations and recommendations regarding
inventory control.

OIG Statement                                 DDS Response
DDS could not locate two out of service       DDS did recover both laptops.
laptops, but later located one.

“We do not agree with the NE DDS’             DDS made no such assertion. DDS believes
assertions that they are exempt from          that it must abide by the POMS
documenting SSA supplied computer             requirements for inventory control for all
equipment into their inventory system.”       equipment including computer equipment.
                                              POMS 39530.020 requires that DDS
These statements are made in the context      inventory all equipment whether purchased
of determining whether or not DDS must        by SSA or by the state with SSA funds.
maintain a formal inventory of computer       DDS does follow this instruction. But
equipment supplied by SSA with a unit         POMS 39530.001 D defines “equipment” as
cost of less than $5000.                      an article having an acquisition cost of
                                              $5000 or more.

Although POMS 39530.001D does                 The POMS quoted by OIG does indeed say
define equipment using a minimum per          that computer equipment must be
unit acquisition cost, this same policy       considered separately. But it does not say
says that computer equipment must be          that it must be inventoried.
considered separately.

Additional policy (POMS                       Yes, but it does not define what an
39563.200) requires an appropriate            appropriate system would be. This
inventory and control mechanism to            reference is very general and we must defer
account for all property used for             to the more specifically worded sections
disability program purposes.                  that, taken together, say that items costing at
                                              least $5000 must be inventoried.

OIG has an opinion about what should be       But the POMS does not back up that
inventoried.                                  opinion. If SSA has specific requirements it
                                              should state them clearly in POMS and then,
                                              provided that they do not conflict with a
                                              higher authority, DDS will comply.

DDS’ contention that it does not own the      That is one fact in support of OIG’s
computer equipment is wrong. SSA’s            interpretation. But there are others. First,
policy says that title rests with the state.  every piece of computer equipment that
                                              SSA ships to DDS bears a sticker that says
                                              “SSA – Property of the Federal
                                              Government”. Second, if it were truly the
                                              property of the state, it could be reassigned
                                              from DDS to some other agency of state
                                              government. Does OIG think that SSA
                                              would stand still for that?

We recommend that SSA instruct the NE         To the extent that OIG is recommending
DDS to immediately establish and              that SSA require DDS to conform to SSA
maintain equipment inventory in               requirements (once they are stated so that
compliance with the policies of SSA and       everyone knows what they are), DDS
the Nebraska Department of Education.         agrees. But the OIG recommendation seems
We also recommend that SSA verify the         to go further and to recommend that SSA
NE DDS’ new inventory system                  interject itself into the supervision of state
complies with appropriate policies.           employees by taking actions to inspect state
                                              compliance with state instructions. If this is
                                              the intended meaning, then DDS strongly
                                              disagrees that SSA should get involved in
                                              state supervision of state practices.

ACCESS CONTROLS

DDS does not agree with some of OIG’s observations and recommendations regarding
access controls and concludes that OIG’s recommendations are not supported by POMS

OIG Statement                                 DDS Response
DDS does not comply with SSA policies         OIG has mischaracterized and overstated
for cleaning services which require either    what the POMS actually says. 39566.010A
a “clean desk” policy or daytime              prefaces all succeeding guidelines by saying
cleaning. OIG cites POMS                      that the contents of the section are
39566.010B2a and B6e as its source.           discretionary. The specific sections
                                              referenced by OIG say “offices should
                                              implement a clean desk policy or daytime
                                              cleaning” and “the office should be cleaned
                                              during work hours”. DDS believes that SSA
                                              chose the term “should” when the term
                                              “must” was available and intentionally
                                              labeled the guidelines as discretionary.
                                              POMS does not support the OIG
                                              recommendation.

Non agency employees such as                  DDS feels that the use of PINs and
cleaning personnel must not have              passwords is sufficient to prevent non
access to claimant data and computer          agency personnel access to the sensitive
equipment used for data input or              information.
storage per POMS 39566.030B.

INCOMPLETE SECURITY PLAN

OIG observed that the DDS security plan was incomplete and recommended the
development of a security plan in accordance with SSA policy.

SSA’s requirements for security planning have been something of a moving target and
DDS has not been able to keep up. DDS does accept this finding and will work with
the SSA RO to update and complete our security plan.

DRP NOT TESTED

OIG observed that the DDS disaster recovery plan has not been tested and
recommended that SSA and DDS work together to test the DRP.

DDS agrees with the OIG finding and recommendation.

Thank you for the opportunity to comment on the draft.
Depending on the extent to
which the language in the final report is modified in view of these comments, DDS
requests that these comments be included as an appendix to the final audit report.

Sincerely,

Douglas Willman
DDS Administrator

Appendix E

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Mark Bailey, Director, Kansas City Audit Division, (816) 936-5591

   Ken Bennett, Information Technology Specialist, (816) 936-5593

Acknowledgments

In addition to those named above:

   Doug Kelly, Auditor-in-Charge

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218. Refer to Common Identification Number
A-07-07-17170.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and
Office of Technology and Resource Management (OTRM). To ensure compliance with policies and
procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional
Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
"